Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 91/114
Findings: 1
Award: $36.24
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rbserver
Also found by: 0xnev, ABAIKUNANBAEV, Audit_Avengers, Aymen0909, BGSecurity, BRONZEDISC, Bason, DadeKuma, GG_Security, Jerry0x, Jorgect, MohammedRizwan, REACH, Sathish9098, Shogoki, T1MOH, UniversalCrypto, aviggiano, ayden, berlin-101, bytes032, codeslide, descharre, fatherOfBlocks, hals, kaveyjoe, kodyvim, lfzkoala, lukris02, nadin, naman1778, patitonar, pontifex, sakshamguruji, squeaky_cactus, teawaterwire, wonjun, yjrwkk
36.2377 USDC - $36.24
QA:
positionIndexes & positions should be deleted for the specified tokenId
memorializePositions doesn't check params_.indexes.length > 0, which means this function can burn gas
moveLiquidity doesn't check that fromPosition.bucketLp > 0
PositionManager.sol#moveLiquidity
moveStakedLiquidity will revert if RewardsManager hasn't been approved due to mayInteract modifier
moveStakedLiquidity calls _transferAjnaRewards twice in a single call, potentially inflating the amount of rewards sent to msg.sender
RewardsManager.sol#moveStakedLiquidity
stake function directly. _isApprovedOrOwner should be used instead of ownerOf
Also note if this change is implemented then RewardsManager.sol#250 will need to change from msg.sender to the owner of the NFT
positionManager.getPositionIndexes(tokenId_); may not return the same index recorded at the time of staking
Low:
#0 - c4-judge
2023-05-18T19:15:20Z
Picodes marked the issue as grade-b